Privacy Policy
How CrisisFlare collects, uses, protects, and deletes personal information — in plain language, with the real numbers.
Version 1.0 — 7 July 2026 · wording last updated 11 July 2026. This policy is in force now and reflects how CrisisFlare actually works today. It is written to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and is awaiting independent legal review — anything marked “to be confirmed” will be settled in that review. If we change how the service works, we update this page first.
1. Who we are
CrisisFlare (crisisflare.org) is a free, not-for-profit service that helps people in crisis find and connect with support services in Australia. It is currently operated by its founder, Graham Huf, while incorporation as a registered charity is completed [legal entity and ABN to be confirmed on incorporation].
CrisisFlare handles health-related and other sensitive information, so we operate on the basis that the Privacy Act and all 13 Australian Privacy Principles apply to us in full, and we hold ourselves to them [whether the Act binds the current entity as a matter of law is being confirmed in legal review].
Privacy contact: [email protected].
2. Our privacy promise
- We collect the least we can. Only what you choose to enter, only to help you.
- You don’t have to tell us who you are. The service works without your name.
- We never share your identity or contact with a service unless you say so. A service must offer to help you first, and then you decide.
- We never sell personal information, and there is no advertising or tracking. None. We count how the site is used only in anonymous totals — never who used it.
- We only ever ask for your area, never your exact address. Your suburb or postcode — and we ask you to keep what you type to that.
3. Anonymous by design
You can browse, answer the questions, and see matched services without an account, a name, an email, or a phone number. There is no sign-up for people seeking help.
If you raise a flare (a request for help), our systems create an anonymous session — a random identifier that lets your own device see your flare. It contains no name or contact detail. To pick things up on another device you can use a one-time resume code: we store only a cryptographic fingerprint (hash) of that code, never the code itself. A code stops working after 30 days, and its stored fingerprint is removed when you issue a new code or delete your data. Treat the code like a key: anyone who has it can see the flares it links to.
4. What we collect
If you are seeking help — on your device only (until you choose to share): your answers in the “find help” questions are saved on your own device so your search works, and are not stored in our database. They can include sensitive information — about your safety and family-violence circumstances, health, mental health, alcohol or other drug support needs, whether you are Aboriginal or Torres Strait Islander, LGBTQIA+ status, children with you, your suburb or postcode, and an optional note in your own words. You can skip any question. We only collect sensitive information you volunteer, and only use it to match you with the right kind of support (we rely on this as the consent the Privacy Act requires for sensitive information). “Quick exit” (or pressing Esc) instantly leaves the site and erases this from the device.
Two things are processed by our systems during the questions, transiently and without being stored: the postcode you type is sent to our suburb lookup (via Australia Post) to suggest suburb names, and the optional note — if you type one — is read once by an AI service to improve your matches (see section 7). Both travel without your name or contact details.
If you raise a flare, we collect and store: the kind of help you need, your area (stored as you type it — please keep it to a suburb or postcode, never a street address), a short summary in your words, general “who this is for” tags (for example women, families, young people), and — only if you choose to add them — a first name and one way to contact you. Your separate search radius and search postcode are used momentarily to work out which services are in range and are not stored.
If you message a service through CrisisFlare, we store those messages so the conversation works.
If a support worker is helping you, they may enter information on your behalf — this must only ever happen with your knowledge and agreement.
If you represent a partner service organisation: we collect your work email, a password (stored only as a secure hash), your multi-factor authentication enrolment, your organisation’s name and ABN, and — for verification — a contact name and email (please make sure that person knows you are providing their details) and any notes you provide. We check the ABN against the Australian Business Register. We never use an ABN or any other government identifier as our own identifier for a person; ABNs are used only to verify organisations.
If you register interest in supporting CrisisFlare (the “Support us” page): we collect the name, email, supporter type, and any message you choose to leave — used only to talk with you about supporting CrisisFlare, and you can opt out at any time (email [email protected] and we’ll remove you).
Our public service directory lists organisations, not individuals: it is built from the public ACNC Charity Register (used under its CC BY 3.0 (AU) licence) and details published on charities’ own websites (phone, email, hours — recorded with their source, never invented, and re-checked on a regular cycle). Charities can opt out of emails from us, and we honour it. Where a sole trader’s ABN or a published contact identifies a person, we treat it as personal information.
Technical information: like every website, network traffic (including IP addresses) passes through our infrastructure providers to deliver the site. We do not use IP addresses to identify people who use CrisisFlare, and we run no third-party analytics, no tracking cookies, and no fingerprinting — our security settings actively block them and we suppress referrer information. Our own application sets no cookies on the person-facing site; our security provider (Cloudflare) may set a short-lived security cookie if it challenges suspected bots.
Anonymous usage counts: to see what people need and fix the gaps, we count how the site is used — in anonymous totals only. For example: “a search for housing in NSW found no results.” These counts contain no name, no contact detail, no IP address, no device or session identifier, and no free text — search words are reduced to our fixed category list before counting, so nothing you type is stored. They cannot identify you or reconstruct anyone’s visit. Raw daily counts are deleted within about 35 days; only the aggregate totals (kept up to 24 months) remain. We also review our security provider’s network-level traffic statistics (such as total page views and the share of automated “bot” traffic) — figures about the site as a whole, not about any person.
5. How we hold and protect information
Our database and authentication run on Supabase in Sydney, Australia (region ap-southeast-2). Website delivery and our small server functions run on Cloudflare.
- Contact details are encrypted at rest. The name and contact detail on a flare are encrypted (AES) with a key held in a separate secure vault — not in the database. They can only be decrypted server-side, and only for a service that has offered to help you, that you have consented to, and whose staff member has passed multi-factor authentication.
- Deny-by-default access. Row-level security means every table starts inaccessible. Services see flares only through an anonymised view that excludes your identity; your messages are visible only to you and the one service in that conversation.
- Multi-factor authentication is mandatory for every service organisation account and every administrator. The admin console sits behind an additional access gate.
- Every privileged action is audited. An append-only log records consent grants and revocations, every reveal of contact details to a service, verification decisions, and administrator actions. Even an administrator reading a reported message is itself logged. Audit entries never contain a help seeker’s name, contact details, or the text of their note or messages (an administrative entry may record a staff member’s work email).
- Family-violence protections are structural. Family-violence-related requests route only to verified or partner organisations. If none are available, the request itself is not stored — we keep only an anonymous, area-level note that a need went unmet (no identity, no exact location), deleted within 90 days. Known confidential refuge locations are excluded from the public directory entirely, and we progressively re-review legacy listings.
- Abuse limits. Message rate limits and resume-code attempt limits protect against misuse.
If something goes wrong: we operate under a documented data-breach response plan built to the Notifiable Data Breaches scheme (being finalised in legal review). We assess any suspected breach promptly (within 30 days at the outside, aiming for far less) and notify the OAIC and affected people when required. Because our users include people at risk of violence, we treat any exposure of the identity or location of a person at risk as serious from the start — no one has to prove harm first, and we design notifications so they don’t create new danger (for example, on a monitored device).
6. Why we collect information
We collect and use personal information to: match you with services that fit your situation and have capacity; let you raise an urgent request for help; connect you with a service you choose; pass messages between you and that service; verify partner organisations; keep the service safe (preventing abuse and misuse); and understand service coverage and how the site is used — using de-identified, area-level records and anonymous usage totals only.
We do not sell personal information, use it for advertising, or use it for any marketing to people seeking help. When we email service organisations about joining CrisisFlare, we follow the Spam Act — we identify ourselves, contact published organisational addresses about directly relevant matters, and honour opt-outs immediately.
7. AI-assisted matching (automated processing)
One feature uses AI: the optional “anything else” note in the find-help questions. If you type something there, it is sent once to our AI provider (Anthropic) so their Claude model can suggest which of our fixed support categories your words describe — for example recognising “I can’t pay my electricity bill” as a need for financial help.
- It is sent without your name or contact details, used only for that one search, and never stored or logged on our servers. Under our agreement with Anthropic, it is not used to train AI models; Anthropic processes it transiently under its API terms, and we are finalising a zero-data-retention arrangement for this feature [status: requested, to be confirmed].
- The AI cannot make decisions about you. It can only add search categories from our fixed list, note a pet, or strengthen safety routing. Which services you see, and every safety rule (like gender-appropriate matching and refuge location protection), is decided by our own deterministic code — never by the AI.
- Leaving the box empty, or choosing “Skip”, means no AI is used at all, and the search works exactly the same way.
We disclose this automated processing voluntarily, ahead of the Privacy Act’s automated-decision transparency requirements commencing in December 2026.
8. When we share information
With a service you choose: until you consent, a service sees only a de-identified summary — the kind of help needed, the area, and your words in the summary. It cannot see who you are. One thing to know: your summary is shared exactly as you wrote it, so it’s best not to put your name or address in it (we say this on the form too). Your name and contact detail are revealed only after that service offers to help and you accept — and you can revoke that consent at any time, or block the conversation.
With our service providers: the providers listed in section 9 process limited data for us (hosting, email, the AI note, postcode lookup). They act under their own strict terms and do not get free use of your information.
If the law requires: if we are compelled by law (for example a court order), we share the minimum required and we push back on over-broad requests. Our strongest protection here is design: the safest record is one we never kept — which is why so little is stored, for so short a time.
Never: we never sell personal information, and we never share it for advertising.
9. Overseas disclosure (where data goes)
Our primary data store — everything in section 4 that we hold — is in Australia (Sydney). The providers we use, and where they process data:
- Supabase (database, authentication) — data stored in Sydney, Australia.
- Cloudflare (website hosting, delivery, security; US company with a global network including Australia) — handles website traffic, so it sees standard traffic metadata such as IP addresses.
- Anthropic (AI reading of the optional note; United States) — receives the note text only, with no name or contact details; not stored by us; not used for model training under our agreement. Also used, along with US-based infrastructure (GitHub), in our behind-the-scenes checks of charities’ published directory details — organisational data only, never anything about people seeking help.
- Australia Post (suburb lookup; Australia) — receives the postcode you type, and nothing else.
- Australian Business Register (government; Australia) — receives partner organisations’ ABNs for verification.
- Resend (email delivery; United States) — sends account emails (such as password resets) to service-organisation staff, and outreach emails to charities; it processes those email addresses and contents. It sends nothing to or about people seeking help.
- Google Workspace (our staff mailboxes; United States) — holds correspondence you send to us by email.
- Twilio (phone-number validation; United States) — used only to check that charity phone numbers in our public directory are valid. No personal information about people seeking help is ever sent to it.
Where a provider processes personal information outside Australia, we take reasonable steps under APP 8 — minimising what is sent (as described above) and relying on providers’ contractual data-protection commitments [the precise APP 8 mechanism is being confirmed in legal review]. Some providers (Cloudflare, Google) operate global networks, so traffic and email may also transit other countries.
10. How long we keep things (and how to delete everything now)
- Flares: a flare stays open for up to 6 hours if no service responds (extended to up to 7 days once a service offers to help). The record is deleted about 90 days after it was raised — automatically, every day.
- Your encrypted contact details: deleted with the flare.
- Messages: deleted with the flare they belong to (about 90 days after the flare was raised), and at most 365 days after being sent — or immediately if you delete your data.
- Resume codes: only a hash is stored; a code stops working after 30 days, and the stored hash is removed when you issue a new code or delete your data.
- Consent records: the consent itself is deleted with your flare; an audit entry recording that consent was given or revoked — anonymous identifiers only, never your name, contact, or words — is retained as proof.
- Audit and security logs: kept for accountability for a limited period — our target is no more than 24 months; an automatic deletion cycle for these logs is planned and not yet in place [period to be confirmed in legal review].
- Anonymous usage counts: contain no personal information (see section 4); raw daily counts are deleted automatically within about 35 days, and aggregate totals are kept up to 24 months.
- Encrypted backups: managed by our database provider and rotated on a limited cycle [rotation window being finalised — to be confirmed in legal review]; deletion requests are honoured as backups expire, and backups are never restored except in a disaster, in which case deletions are re-applied.
- Partner-organisation accounts: kept while the organisation remains registered with us, and removed on request [retention period being finalised — to be confirmed in legal review].
- Verification requests: the contact details on an organisation’s verification request are kept while the organisation is registered with us [retention period being finalised — to be confirmed in legal review].
- Supporter register: kept while we’re talking with you about supporting CrisisFlare; removed when you opt out or ask us.
- Reports: a report about a message or conversation is deleted with the flare it belongs to.
- On your device: your question answers and settings stay on your own device until you clear them — “Quick exit”, or “Clear from this device” in My flares, removes them instantly.
Delete everything, right now: in My flares choose “Delete all my data”. It permanently and immediately deletes — from our live systems — every flare linked to your session or resume code, your encrypted contact details, your messages, and your resume codes. Copies inside our encrypted backups are deleted automatically as old backups are replaced, and audit entries (which never contain your name, contact, or words) are kept per the audit-log line above. Our audit log records the deletion itself as a de-identified count. These retention periods are our operating settings and are marked for confirmation in legal review; deletion on request always overrides them.
11. Access, correction, and export
You can ask us for a copy of the personal information we hold about you, ask us to correct it, or ask us to delete it — free of charge. Email [email protected]. We aim to respond within 30 days; if we ever refuse (for example, a legal hold), we will explain why in writing. If you need this policy in another format (for example plain text or printed), email us and we’ll provide it.
We also take reasonable steps to keep information accurate and up to date: directory listings carry their source and are re-checked on a regular cycle, and we correct anything you tell us is wrong.
One honest quirk of anonymity: because we don’t know who you are, we may need your resume code to find the data that is yours — it is the only link between you and your flares. Without it, we often genuinely cannot locate your records (which is by design).
12. Complaints
If you think we’ve mishandled your information, email [email protected]. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.
If you are not satisfied, you can complain to the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au, phone 1300 363 992, or by post — the current postal address is listed at oaic.gov.au.
13. A note if you are experiencing violence
If you are in immediate danger, call 000. For confidential family-violence support call 1800RESPECT (1800 737 732).
The Quick exit button (or pressing Esc) leaves this site instantly and clears it from the device. On a shared or monitored device, consider private browsing and clearing your history afterwards. We only ever store your area — never your exact location — and we never reveal your identity or location to a service without your consent. Known confidential refuge locations are excluded from this site entirely, and we progressively re-review legacy listings.
14. Children and young people
CrisisFlare can be used by young people seeking help, and by support workers helping someone of any age. We deliberately do not demand identity or age documents — for someone fleeing harm, a barrier is a risk. We apply the same minimal-collection and consent protections to everyone, and the questions are written in plain language. Consistent with OAIC guidance, we treat a young person as able to consent for themselves when they have the capacity to understand what they are agreeing to (generally presumed from around age 15). Our full approach to consent and capacity for people under 18 is [being finalised with legal review], and we are designing for the Children’s Online Privacy Code as it lands.
15. Changes to this policy
When we change how CrisisFlare handles personal information, we update this policy first and change the version line at the top. Material changes will be flagged on the site. Version 1.0 — 7 July 2026 · wording last updated 11 July 2026.
See also: Collection Notice (what we tell you at the moment we collect information) and the plain-language privacy overview.